
Kamailio CVE-2025-12206

LOW
Improper Resource Shutdown or Release (CWE-404)
2025-10-27 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 29, 2026 - 01:35 (vuln.today)

Description (CVE.org)

A flaw has been found in Kamailio 5.5. The impacted element is the function rve_is_constant of the file src/core/rvalue.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been published and may be used. It is still unclear if this vulnerability genuinely exists. This attack requires manipulating config files which might not be a realistic scenario in many cases. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Kamailio 5.5.0 suffers a null pointer dereference in the rve_is_constant function (src/core/rvalue.c) triggered by manipulation of local configuration files, resulting in denial of service. The attack requires local access with low privileges and produces only availability impact. Publicly available exploit code exists, but active exploitation has not been confirmed by CISA KEV, and the vulnerability's genuine existence remains disputed by the original reporter. Real-world risk is minimal given the low EPSS score (0.03%), requirement for config file manipulation, and minimal impact surface.

Technical Context (AI)

Kamailio is an open-source SIP (Session Initiation Protocol) server and router used for VoIP and telephony infrastructure. The vulnerability exists in src/core/rvalue.c, which handles runtime value evaluation and parsing of Kamailio configuration directives. The rve_is_constant function is responsible for determining whether an rvalue expression can be evaluated as a constant at configuration parse time. The CVE is classified as CWE-404 (Improper Resource Shutdown or Release); per the description, the defect itself is a null pointer dereference, meaning the code fails to validate or properly handle a null pointer before dereferencing it. This occurs during configuration file parsing when a malformed or specifically crafted rvalue expression is processed, causing the function to dereference a null pointer when validating expression constancy. The attack vector is local (AV:L) and requires low privileges (PR:L), meaning a user with restricted system access can trigger the flaw by editing or injecting a malicious config file.

Remediation (AI)

No vendor-released patch has been identified at the time of analysis. Because the vendor did not respond to early disclosure, no official fix version is available. Immediate remediation focuses on compensating controls: restrict write permissions on Kamailio configuration files (typically /etc/kamailio/kamailio.cfg and included files) to the kamailio process owner and root only, preventing unauthorized local users from modifying rvalue expressions. Audit configuration file access logs using tools such as auditd (Linux) to detect unauthorized modification attempts. For environments where config flexibility is critical, consider running Kamailio in a containerized or virtualized sandbox with restricted privilege escalation, though this has minimal operational benefit given the local-only attack vector. Monitor the upstream Kamailio repository (https://github.com/kamailio/kamailio) for security advisories and consider upgrading to the 5.6+ series if available and compatible with your deployment. Do not rely solely on this CVE for patching decisions; coordinate remediation with broader access control and configuration management policies.
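The write-permission control recommended above can be checked mechanically. The following Python script is an added example, not code from this page or from the Kamailio project: it follows `include_file` / `import_file` directives from the main config and reports every config file, and every directory holding one, that is group/world writable or owned by an unexpected account. The `kamailio` service account name and the resolution of relative include paths against the including file's directory are assumptions.

```python
import os
import re
import stat

# Kamailio core directives that pull another file into the configuration.
INCLUDE_RE = re.compile(r'^\s*(?:include_file|import_file)\s+"([^"]+)"')

def config_files(main_cfg):
    """Return main_cfg plus every file reachable through include/import directives."""
    seen, queue = [], [os.path.abspath(main_cfg)]
    while queue:
        path = queue.pop(0)
        if path in seen or not os.path.isfile(path):
            continue  # already visited, or an import_file target that is absent
        seen.append(path)
        with open(path, errors="replace") as fh:
            for line in fh:
                m = INCLUDE_RE.match(line)
                if m:  # assumption: relative paths resolve from the including file
                    queue.append(os.path.normpath(
                        os.path.join(os.path.dirname(path), m.group(1))))
    return seen

def audit(main_cfg, allowed_uids):
    """Return (path, reason) pairs for files/directories others could modify."""
    findings, checked = [], set()
    for path in config_files(main_cfg):
        for target in (path, os.path.dirname(path)):
            if target in checked:
                continue
            checked.add(target)
            st = os.stat(target)
            if st.st_uid not in allowed_uids:
                findings.append((target, "owner uid %d not allowed" % st.st_uid))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((target, "group/world writable (mode %o)"
                                 % stat.S_IMODE(st.st_mode)))
    return findings

if __name__ == "__main__":
    import pwd, sys
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/etc/kamailio/kamailio.cfg"
    allowed = {0}  # root
    try:
        allowed.add(pwd.getpwnam("kamailio").pw_uid)  # assumed service account
    except KeyError:
        pass
    for target, reason in audit(cfg, allowed):
        print("%s: %s" % (target, reason))
```

The directory check matters because a writable parent directory lets a local user replace a config file even when the file itself is read-only.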
